[CVE-2013-3685][Root]Multiple LG Android devices, Sprite Software Backup

[osashi555]

Subject:
Race condition in Sprite Software's backup software, installed by OEM on LG Android devices.

Author:
Justin Case - [email protected]

CVE ID:
CVE-2013-3685

Effect:
Locally exploited vulnerability with minimal device user interaction which results in executing code as the root user. Under specific circumstances, it is possible to exploit this vulnerability without the device user's knowledge

Products:
"Backup"
"spritebud"

Vendors:
Sprite Software
LG Electronics
Potentially other vendors

Affected Versions:
spritebud 1.3.24
backup 2.5.4105
Likely others versions as well

Affected Devices (Subject to firmware configuration):
LG-E971 LG Optimus G
LG-E973 LG Optimus G
LG-E975 LG Optimus G
LG-E975K LG Optimus G
LG-E975T LG Optimus G
LG-E976 LG Optimus G
LG-E977 LG Optimus G
LG-F100K LG Optimus Vu
LG-F100L LG Optimus Vu
LG-F100S LG Optimus Vu
LG-F120K LG Optimus Vu
LG-F120L LG Optimus LTE Tag
LG-F120S LG Optimus LTE Tag
LG-F160K LG Optimus LTE 2
LG-F160L LG Optimus LTE 2
LG-F160LV LG Optimus LTE 2
LG-F160S LG Optimus LTE 2
LG-F180K LG Optimus G
LG-F180L LG Optimus G
LG-F180S LG Optimus G
LG-F200K LG Optimus Vu 2
LG-F200L LG Optimus Vu 2
LG-F200S LG Optimus Vu 2
LG-F240K LG Optimus G Pro
LG-F240L LG Optimus G Pro
LG-F240S LG Optimus G Pro
LG-F260K LG Optimus LTE 3
LG-F260L LG Optimus LTE 3
LG-F260S LG Optimus LTE 3
LG-L21 LG Optimus G
LG-LG870 LG (Unknown)
LG-LS860 LG Mach
LG-LS970 LG Optimus G
LG-P760 LG Optimus L9
LG-P769 LG Optimus L9
LG-P780 LG Optimus L7
LG-P875 LG Optimus F5
LG-P875h LG Optimus F5
LG-P880 LG Optimus 4X HD
LG-P940 LG Prada
LG-SU540 LG Prada 3.0
LG-SU870 LG Optimus 3D Cube
LG-US780 LG Lollipop
Potentially other devices as well.


Product Information:

"Backup" and "spritebud" are a setting and application backup/restore system written by Sprite Software and deployed on LG Android smartphones. "Backup" is the end user front end app, and "spritebud" is the service that preforms the backup and restore functions.


Details:

The "spritebud" daemon is started by the init scripts and runs as the root user. Listening on a unix socket, the daemon accepts instructions from the "Backup" app. Using a crafted backup, we can write to, change permission and change ownership of any file, being that "spritebud" is running under the root user.


The crafted backup contains restore data for our exploiting application, "com.cunninglogic.lgpwn". The data includes a 50mb dummy file (a) used to increase our exploit window, su binary (b), a script (c) to install su, and a text file (d) containing the path to our script. All files are owned by the application, and are world write/read/execute. All files are restored in alphabetical order. The entire backup, after compress, is approximately 2mb. The structure of this backup is as follows:


drwxrwxrwx u0_a114 u0_a114 2013-05-28 20:13 files


./files:
- -rwxr-xr-x u0_a114 u0_a114 52428800 2013-05-22 20:06 a
- -rwxr-xr-x u0_a114 u0_a114 91992 2013-05-22 20:07 b
- -rwxr-xr-x u0_a114 u0_a114 251 2013-05-22 20:12 c
- -rwxr-xr-x u0_a114 u0_a114 42 2013-05-22 20:07 d


Prior to restoration, our exploit app runs, watches the process and waits. During restoration, the spritebud daemon first creates the files directory, then sets it's permission and owner. Next it decompresses and restores the "a" file, our 50mb dummy files. During the restoration of "a", our exploit application has time to symlink "d", our text file containing the full path to our script (c), to /sys/kernel/uevent_helper. Upon restoration of file "d", our path is written to uevent_helper. When a hotplug even occurs (which occur every few seconds), the path contained in uevent_helper is execute by the kernel and our script (c) is executed and installs the su binary (b).

omg omg thank you man, you rock, finally managed to root my lg l9, props to you man, i didnt know how to check on spritebud and other stuff, but i said meh lets try it, i used root checker, it said im rooted,

 

[ecarlson]

Worked on my T-Mobile LG Optimus L9 P769 with the latest 20f Android version.

FYI: Not that it is directly relevant, but in case anyone is interested, I did a factory reset a few hours before I rooted it.

 

[jamespxcv]

Another Solution?

I was excited tried it out but did not work. I got the message:

CVE-2013-3685 POC by jcase

Can not find /system/xbin/spritebud, device may not be vulnerable.

I went to that file with ES File Manager but found another file named dexdump

 

[KindleUser]

This didn't work, I got the no SU Binary message, any help is appreciative, thanks! My phone model is in my sig if you need it.

EDIT: Nvm, I got it to work after 3 times, thanks man it really works still

 

[CeesitarJet]

Tested thanks!

Inviato dal mio GT-I9000 usando Tapatalk 4

 

[mikemoney]

Worked GREAT! thx

 

[lowcab311]

Rooted

Rooted on first try, thanks. Got phone yesterday, ota to p76920f, reset phone then ran lgpwn.

 

[FoneWatcher]

20h

Looks like 20h TMOUS is out in response to this vulnerability.

 

[reikred]

Tried LGSlap.apk on p769 20h, not successful

Justin,

I have had success with LGPwn.apk, which worked on LG Optimus L9 firmware version p769 20f (thanks) but not on version 20h, which I foolishly installed today.

I saw you mention earlier that you may have a new exploit and asked for a listing of ls -l /system/app. I have attached that listing from my phone to see if you have any other exploit suggestions for me.

Thanks
RR

 

[chadteck]

P769 V20h

It initially appeared that the exploit had been patched in P769 V20h, but I was able to get it to work.

What I did was restore the backup and prior to clicking the button to restart, plugged the phone into my computer. I was prompted with a SuperSU confirmation dialog and I granted access.

This hotplug wasn't necessary with previous ROM versions, but maybe something changed. I read that was how the exploit worked, so I thought I'd give it a try.

 

[Mactech.chris]

hot plug trick

It initially appeared that the exploit had been patched in P769 V20h, but I was able to get it to work.

What I did was restore the backup and prior to clicking the button to restart, plugged the phone into my computer. I was prompted with a SuperSU confirmation dialog and I granted access.

This hotplug wasn't necessary with previous ROM versions, but maybe something changed. I read that was how the exploit worked, so I thought I'd give it a try.

Thanks! The hot plug trick worked for me on P76920h

 

[reikred]

It initially appeared that the exploit had been patched in P769 V20h, but I was able to get it to work.

What I did was restore the backup and prior to clicking the button to restart, plugged the phone into my computer. I was prompted with a SuperSU confirmation dialog and I granted access.

This hotplug wasn't necessary with previous ROM versions, but maybe something changed. I read that was how the exploit worked, so I thought I'd give it a try.

Hmm, this still does not work with my t-mobile (US) p769 20h for me. In case it is significant: When I do the USB hotplug operation after restore, I choose the "LG Software Mode" as opposed to the other 3 USB modes that a popup shows me. I do NOT get a SuperSU permission dialog, although I have SuperSU installed from Google Play.

I also have already the SU binary:

shell@android:/ $ ls -l /system/xbin/su
-rwxr-xr-x root shell 91992 2013-07-27 11:12 su

 

[poke251]

Thanks! The hot plug trick worked for me on P76920h

Me too :good:

 

[spiceminesofkessel]

Does LGPwn Need to Remain on the Phone?

This worked great in rooting my LG P769 20h. It worked the first time without any issues. My only question is this: Is it okay to uninstall LGPwn after I have gained root with it? I don't need the 50MB of space and it doesn't bother me being on the phone, I'm just curious as to whether or not it needs to remain on the phone. Thank you for your work, jcase!

 

[Dimonius]

76020i (orange,poland) dont work

 

[NrgStunter]

LG P760 doesn't work 4.1.2 v20d brand rom, help me pls

 

[alaminok]

:good:

 

[mathorv]

Will the phone became unrootred after factory reset?
Factory state without signs of tampering, factory bootloader(which is in my understanding untouched here.

If rooting method will fail - how to erase obsolete files?

 

[devilanuj17]

bro,wherever you are,you are AWESOME,,,,

 

[jayfizze]

I have a LG Optimus L9 Running Firmware 20H I have been trying to root it using LGPWN for about an hour now .... IT KEEPS FAILING >>>>>>>> .... Thing is the phone was rooted yesterday and I wiped my data from it .... it did the OTA update immediately as it turned back on and i figured i cld just root it again when i needed to customize it ( I.E. NOW !!! ) but this keeps failing ... any ideas as to why ... im seeing post that it should work but it's not working for me ........ :crying: